Silver Fox APT expands ABCDoor backdoor operations with RustSL loader and tax-themed phishing targeting India, Russia, and additional regions
Summary
The China-based advanced persistent threat (APT) group Silver Fox conducted phishing campaigns in late 2025 and early 2026 targeting organizations in India and Russia using tax-themed lures to deliver a new Rust-based loader named RustSL, which deploys the ValleyRAT backdoor and a previously undocumented Python-based backdoor called ABCDoor. The operation impacted industrial, consulting, retail, and transportation sectors, with over 1,600 phishing emails observed between January and February 2026. The campaign leveraged phishing emails mimicking tax audit notices or tax violation lists, distributing ZIP/RAR archives from domains such as abc.haijing88[.]com that contained modified open-source RustSL loaders. The backdoor ABCDoor, first deployed in February 2025, enables multi-stage persistence, data collection, remote control, and exfiltration via HTTPS C2 communication. Notable technical features include geofencing checks, sandbox evasion, and a persistence mechanism called Phantom Persistence, which intercepts system shutdown to force a malicious reboot. The group’s targeting has expanded from China to Taiwan, Japan, India, Russia, Indonesia, South Africa, and Cambodia.
Timeline
- 04.05.2026 14:57 · 1 article
  Silver Fox deploys ABCDoor backdoor via RustSL loader in tax-themed phishing campaigns targeting India and Russia
  In December 2025 and early 2026, Silver Fox conducted phishing campaigns using tax-themed lures to deliver RustSL loaders that deploy ValleyRAT and ABCDoor backdoors. The campaign targeted industrial, consulting, retail, and transportation sectors in India and Russia, with over 1,600 emails observed between January–February 2026. Attack chains involved ZIP/RAR archives hosted on abc.haijing88[.]com containing RustSL variants that perform geofencing and sandbox evasion, with Phantom Persistence enabling stealthy reboot-based execution.
  - Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57
Information Snippets
- Silver Fox APT used tax-themed phishing emails in December 2025 to deliver ZIP/RAR archives containing RustSL loaders targeting Indian and Russian entities.
  First reported: 04.05.2026 14:57 (1 source, 1 article)
  - Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57
- The RustSL loader is a modified open-source shellcode loader and AV bypass framework used to decrypt and execute the ValleyRAT (Winos 4.0) backdoor with custom modules.
  First reported: 04.05.2026 14:57 (1 source, 1 article)
  - Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57
- A new ValleyRAT plugin functions as a loader for the previously undocumented Python-based backdoor ABCDoor, first observed in attacks beginning February–March 2025.
  First reported: 04.05.2026 14:57 (1 source, 1 article)
  - Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57
- ABCDoor supports persistence via Phantom Persistence, data collection (e.g., screenshots, clipboard contents), remote desktop control, file system operations, process management, and encrypted HTTPS C2 communications.
  First reported: 04.05.2026 14:57 (1 source, 1 article)
  - Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57
- Phantom Persistence intercepts system shutdown signals to trigger a forced reboot, executing the malware on OS startup under the guise of a system update.
  First reported: 04.05.2026 14:57 (1 source, 1 article)
  - Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57
- Geofencing checks in RustSL variants cover India, Indonesia, South Africa, Russia, and Cambodia, with newer versions adding Japan; China remains the default in the original GitHub variant.
  First reported: 04.05.2026 14:57 (1 source, 1 article)
  - Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57
- Silver Fox’s operational scope expanded from China to Taiwan and Japan around 2024, and later included India, Russia, Indonesia, South Africa, and Cambodia.
  First reported: 04.05.2026 14:57 (1 source, 1 article)
  - Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57
- Over 1,600 phishing emails were flagged between early January and early February 2026, with the highest attack volumes observed in India, Russia, and Indonesia.
  First reported: 04.05.2026 14:57 (1 source, 1 article)
  - Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57